Cyber Weekly Roundup – March 17, 2017

Written March 17th, 2017

Post Tags: Cyber

1.) The Economics of Ransomware: How SCADA/ISC Changes the Equation (March 8, 2017)


Summary: “Recent reports of SCADA/ICS proof-of-concept ransomware have spurred fresh discussion on the topic. Few threats exceed the level of concern that ransomware generates in the minds of corporations. There are some fundamental economics behind ransomware, though, that can help predict its evolution, particularly in view of the potential for attacks on public infrastructure.”

Why it matters: Viewing the economic forces (potential for profits) driving the evolution of Ransomware helps put into perspective why these attacks have grown so quickly, and how serious they can become. For those cybercriminals driven by the promise of netting bigger profits for their efforts, attacking higher value targets with a lower threshold for maximum acceptable outage increases the chances of getting paid (and getting paid quickly) when a SCADA systems or ISC is taken hostage. While attacking these systems will initially involve a higher degree of technical knowledge from cybercrime, subsequent versions of ransomware that are created and sold to cybercriminals by third parties will also no doubt see an opportunity for profit, and incorporate modules into their software that assist with this opportunistic attack vector.

2.) FBI Director Tells Companies Not to ‘Hack Back’ Against Hackers (March 8, 2017)

Summary: “Last week, a congressman proposed a bill that would allow companies to legally counterattack against hackers. But it’s not just the law that companies should take note of, Comey suggests.”

Why it matters: Continuing the conversation on hacking back, FBI director James Comey provided an additional potential detriment if a victim attempts to discover additional information, or retaliate against his attackers. In addition to the legal ramifications of hacking back, the act may disrupt law enforcement investigations against these criminals. Again, there are too many loose ends and uncertainties at this point to pass legislation on hacking back. If standards can be developed in tandem with some form of oversight into these attempts to hack back, companies may have a better idea of when they can retaliate/collect information on their attackers, and when they are overstepping the boundaries of the Computer Fraud and Abuse Act.

3.) Don’t know what a Honeypot is? Try this Analogy for Size (March 14, 2017):


Summary: “Technology uses a lot of jargon. If you follow the news, you’ve probably come across terms like encryption, zero day, or airgap. Perhaps you’ve even looked them up, only to find Wikipedia entries and Quora threads as befuddling as the terms themselves. An easier solution might be to hover over a phrase like “two factor authentication” in a story and get an analogy that explains that it is a security measure a bit “like a child safety lid” and that “a child may be able to press the lid down and twist it, but won’t know that you have to do both at the same time.”

Why it matters: As with any specialized profession, cyber security experts often must find the best way to convey technical concepts and risks to both technical and nontechnical individuals, from employees to senior leadership. The sideways dictionary offers analogies to technical jargon that may help non-cybersecurity professionals understand otherwise complicated technical concepts, and even allows contributions in the event there’s an alternative analogy that may better explain the concept.

4.) In-the-wild exploits ramp up against high-impact sites using Apache Struts (March 14, 2017):


Summary: Eight days after developers patched a critical flaw in the Apache Struts Web application framework, there has been no let-up in the volley of attacks attempting to exploit the vulnerability, which affects a disproportionate number of high-impact websites, a security researcher said Tuesday.

Why it Matters: the Apache Struts 2 vulnerability that was announced last week (https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/) continues to be a pain point for many organizations that run web apps created in the web application framework. Aside from serving as a point of awareness, this article is noteworthy because it shows how vulnerabilities in an application can have serious downstream effects. Even in cases where Apache Struts 2 has been patched, organizations can still be vulnerable if the web apps developed by the vulnerable version of Apache Struts 2 are not recompiled by the patched version. As a result, the standard routine of patch and reset is not enough, and fixing the issue will take additional time for organizations, as well as the risk of downtime, to redeploy their new application. Due to these challenges, as well as the simplicity to exploit this vulnerability, and the resultant exploit of remote code execution (valuable to blackhats because it allows them to install backdoors and malware onto the hacked device), it’s expected we will continue to hear about this vulnerability in the coming weeks and months.

5.) Active Defense Bill Raises Concerns Of Potential Consequences (March 7, 2017)


Summary: A discussion draft of the proposed bill “The Active Cyber Defense Act” has been proposed that would allow organizations and victims of “persistent unauthorized intrusion” into their network to hack back. Adding an amendment to section 1030 of the Computer Fraud and Abuse Act, this bill would exempt these organizations from prosecution for taking active cyber defense measures. These measures exclude causing destruction, or endangering public health or safety during the act of taking these defensive measures. Questions still remain on how this bill would handle the challenges of properly attributing attacks, the questions of search and seizure of information housed on remote devices by non-law enforcement officials, and if it would inspire online vigilantism.

Why it Matters: This is a timely piece, given NetCentrics’ recent look at the article “How the Private Sector Can Remake US Cybersecurity,” http://dailysignal.com/2017/01/31/how-the-private-sector-can-remake-us-cybersecurity/) which called for a similar allowance of “active defense” by private corporations. This bill provides the legal means for victims of persistent cyber attacks to take what Daily SIGNAL’s article described as an “active defense,” – a grey zone between passive defense and full-blown offensive cyber operations.

While there are benefits of allowing private citizens to defend their interests, there are many unanswered questions must be answered. With cyber criminals and nation-states actively working to make attribution of attacks more difficult, how do we as a society handle the inevitable possibility that the victim will end up “hacking-back” against the wrong person?  What if the attacker is utilizing a hacked device to serve as their command and control – does the victim have the right to collect data on this third party’s device? How do you judge “destruction” while considering the possibility that the attack is either sending the victim down the wrong trail or is hosted on an innocent bystanders’ device? What cost is acceptable if “hacking back” inadvertently brings their system down or leaks private information that isn’t relevant to the hacker?

Discussion on the topic is a good starting point, but ultimately we will need policy and standards to better understand what situations are acceptable to launch counter hacking efforts. Without a better understanding of these uncertainties, this bill will not be an effective deterrent to attackers.

6.) Spammers expose their entire operation through bad backups (March 6, 2017)


Summary: Due to poorly configured remote backup procedures using RSync, a massive spam operation run by U.S.-based firm River City Media was exposed by researchers at MacKeeper Security Research Center and The Spamhaus Project. The operation, which collected 1.4 billion identities that tied together real names, email addresses, and IP addresses, sent more than 1 billion messages daily.  Review of the chat logs on the faulty backup were indications that the company was researching exploitative behavior against mail servers, which may be illegal. Researchers have shared the data with relevant law enforcement agencies.

Why it Matters: Spam is still big business, and this recent data dump of River City Media’s day-to-day operations may help law enforcement with shutting this organization down, as well as assisting email services with configuring their devices to better intercept and block incoming spam. This article also is a good example of how security researchers make contributions to safeguarding online privacy and reducing malicious activity on the web.

7.) The Role of the Security Intelligence Analyst and the Three Main Elements of Cybersecurity (March 7, 2017)


Summary: This piece offers a brief explanation of Security Intelligence Analysts – why they are important to organizations, and how they can best utilize Threat Intelligence and Event Intelligence to report accurate, timely, and actionable information to their organization.

Why it Matters: This article highlights the importance of operational security within organizations. Cyber hygiene such as keeping patches and anti-virus updated will help block attacks, but the current state of cybersecurity is such that incidents have become much more sophisticated and need analysts to identify potential threats and events that match these threats. A good read for anyone interested in security intelligence analysis or organizations trying to come to grips how they can expand their cybersecurity program beyond the basics.